feat: add CMMC 2.0 compliance skill #31
Open
sjackson0109 wants to merge 5 commits into Sushegaad:main from
OVERVIEW
--------
This commit delivers a complete, end-to-end Claude skill for ISO 31000:2018 Risk
Management. The skill covers the full standard -- Principles (Clause 4), Framework
(Clauses 5.1-5.6), and the Risk Management Process (Clauses 6.2-6.7) -- along with
five structured workflows, three on-demand reference files, a distributable .skill
archive, and full integration into the repository test suite and marketplace registry.
The skill is authored to the same standard as all other GRC skills in this repository:
trigger phrases in the SKILL.md frontmatter, output-format matrices, clause-cited
guidance, workflow templates, and on-demand reference file loading to preserve context
window efficiency.
STANDARD COVERAGE
-----------------
Standard : ISO 31000:2018 -- Risk management -- Guidelines
Published : February 2018 (replaces ISO 31000:2009)
Status : Current international standard; sector-agnostic; universally applicable
Note : ISO 31000 is a guidelines standard -- organisations cannot be certified
against it. It provides principles and a framework/process that integrate
into all other ISO Annex SL management system standards.
Three structural pillars covered in full:
Clause 4 -- Principles
All 8 risk management principles documented with practical descriptions and
assessment guidance (Integrated, Structured and comprehensive, Customised,
Inclusive, Dynamic, Best available information, Human and cultural factors,
Continual improvement).
Clause 5 -- Framework (6 components)
5.1 Leadership and Commitment
5.2 Integration
5.3 Design
5.4 Implementation
5.5 Evaluation
5.6 Improvement
Clause 6 -- Risk Management Process (8 activities)
6.2 Communication and Consultation (continuous throughout)
6.3 Scope, Context, and Criteria
6.4 Risk Assessment
6.4.2 Risk Identification
6.4.3 Risk Analysis
6.4.4 Risk Evaluation
6.5 Risk Treatment
6.6 Monitoring and Review
6.7 Recording and Reporting
FILES CREATED
-------------
plugins/iso31000/.claude-plugin/plugin.json
Claude Code plugin manifest. Contains name ("iso31000"), semantic version (0.1.0),
description, author (Hemant Naik), homepage, repository, license (MIT), and keywords
(iso31000, risk-management, risk-assessment, risk-treatment, risk-register,
enterprise-risk, grc). Required by test_plugin_structure.py for plugin discovery
and validation.
plugins/iso31000/skills/iso31000/SKILL.md
Core skill instruction file loaded into Claude context when the skill triggers.
Contains:
- YAML frontmatter with name, description, and 30+ trigger phrases covering ISO
31000, risk management framework, risk register, risk treatment, risk appetite,
risk tolerance, risk criteria, inherent risk, residual risk, risk identification,
risk analysis, risk evaluation, risk treatment plan, likelihood x consequence,
risk heatmap, risk workshop, bowtie analysis, FMEA, enterprise risk management,
ERM, operational risk, strategic risk, risk monitoring, board risk report, and
risk appetite statement.
- Persona definition: Claude adopts the role of an ISO 31000:2018 Risk Management
consultant and lead practitioner.
- Output format matrix mapping 9 task types to their required output format:
risk framework design, gap analysis, risk assessment, risk treatment plan, risk
appetite statement, risk workshop facilitation, policy/procedure generation,
integration guidance, and general questions.
- Standard overview with three-pillar structure diagram and a note distinguishing
ISO 31000 as a guidelines (non-certifiable) standard.
- Full Clause 4 principles table: 8 principles with practical descriptions, indexed
for assessment as Embedded / Partial / Not present.
- Full Clause 5 framework narrative covering all six components (5.1-5.6) with
evidence checklists and key outputs identified for each.
- Full Clause 6 process documentation including:
- ASCII process flow diagram showing the 8 activities and their relationships
- 5x5 Likelihood x Consequence matrix with RAG band thresholds and colour coding
- Risk identification technique overview with 7 named methods
- Inherent risk, control effectiveness, residual risk, and target residual risk
definitions
- Risk treatment options table (Avoid / Reduce / Transfer / Accept / Exploit)
with description and conditions for use
- Risk treatment plan column reference
- Monitoring triggers (periodic and event-driven)
- Recording and reporting requirements summary
- 5 Core Workflows with full templates:
1. Risk Framework Gap Analysis -- clause-by-clause assessment table with
example populated rows
2. Risk Register Development -- 16-column register template with standard
risk categories and scoring guidance
3. Risk Appetite Statement -- structured template with overarching narrative
and 8-category tolerance threshold table
4. Risk Workshop Facilitation Guide -- pre-workshop preparation checklist,
9-item agenda template with facilitator actions
5. Policy and Procedure Generation -- document control block requirements,
9-document minimum set table with clause mapping and mandatory indicator
- Integration mapping table documenting how ISO 31000 provisions apply within
ISO 27001, ISO 9001, ISO 42001, ISO 14001, ISO 45001, NIST CSF 2.0, and
COSO ERM, with specific clause and function references.
- Two integration guidance rules for operating an integrated risk register across
multiple management system standards.
- Reference file loading rules specifying which reference file to load per task
type to preserve context window efficiency.
plugins/iso31000/skills/iso31000/references/iso31000-framework.md
On-demand reference for Clause 5 framework topics. Loaded for: framework design
queries, gap analysis, leadership and governance questions. Contents:
- Framework PDCA cycle overview diagram
- Clause 5.1 design checklist with 7 requirements and evidence column
- Common gaps section for 5.1 (4 frequently observed deficiencies)
- Clause 5.2 integration maturity model: 4 levels (Ad hoc / Defined / Managed /
Optimised) with characteristics for each
- 7 integration diagnostic questions for gap assessment
- Clause 5.3 Design: PESTLE external context table with 6 factors and example
risk sources, internal context 6-question diagnostic
- Risk Management Policy required content (6 mandatory elements)
- Full RACI matrix for risk management activities across 5 stakeholder layers
(Board, Executive/CEO, CRO/Risk Function, Process Owners, All Staff) covering
7 risk management activities
- Minimum resource requirements (people, tools, training, time, budget)
- Communication and consultation design requirements (5 elements)
- Implementation roadmap template: 6 phases with activities, owner, and success
criteria from Foundation through Optimise stages
- Framework evaluation criteria table: 6 rows (one per framework component) with
evaluation questions and evidence sources
- Risk Management KPIs table: 6 KPIs with measurement method and target
- Framework design checklist: 19 checkpoints across 5 categories (Leadership and
Governance, Integration, Design, Process, Evaluation and Improvement)
plugins/iso31000/skills/iso31000/references/iso31000-risk-assessment-process.md
On-demand reference for Clause 6 risk assessment topics. Loaded for: risk registers,
workshops, identification techniques, scoring. Contents:
- Clause 6.3 scope definition: 5-element scope template with diagnostic questions
- Scope statement prose template
- PESTLE external context analysis table with columns for risk source, potential
impact on objectives, and current controls
- Internal context 6-question diagnostic
- Risk criteria: 5-point likelihood scale (Almost Certain through Rare) with label,
definition, and example frequency
- Risk criteria: 5-point consequence scale calibrated across four dimensions
(Financial, Reputational, Operational, Regulatory/Legal) from Negligible to
Catastrophic, with percentage of revenue thresholds for financial impacts
- Risk tolerance thresholds: 4 bands with score range, RAG label, and default
treatment decision
- 7 risk identification techniques with implementation detail:
1. Structured workshop / brainstorming: facilitation prompt sequence (5
questions), best-for guidance
2. SWOT analysis: 2x2 matrix showing risk type per quadrant
3. Process mapping / SIPOC: template with risk annotation at each SIPOC
element
4. Bowtie analysis: ASCII diagram showing causes, preventive controls, top
event, recovery controls, and consequences
5. FMEA: full column set (Process Step, Failure Mode, Effect, Severity,
Occurrence, Detection, RPN) with RPN threshold guidance
6. Taxonomy-based risk checklist: 8 categories with approximately 50 named
example risk types (Strategic, Financial, Operational, Technology/Cyber,
Compliance/Regulatory, Reputational, People/HR, Third Party/Supply Chain)
7. Risk description template: 6-field structured entry format
- Full risk register template: 19 columns (Risk ID, Category, Description, Source,
Existing Controls, Inherent L, Inherent C, Inherent Score, Control Effectiveness,
Residual L, Residual C, Residual Score, Band, Treatment Option, Owner, Target
Date, Review Date, Status)
- 5x5 L x C matrix rendered in ASCII with RAG colour coding and band legend
- Inherent vs residual vs target residual risk definitions table
- Qualitative vs semi-quantitative vs quantitative analysis comparison table
- Multi-dimensional analysis table showing console across 4 consequence dimensions
with guidance to use the highest single dimension (conservative approach)
- Risk evaluation 4-step process with treatment decision rules per band
- Prioritised risk summary output format (example table)
- Communication and Consultation (Clause 6.2): stakeholder consultation plan
template (6 stakeholder groups with interest, engagement method, frequency)
- Internal risk reporting schedule: 4 report types (Risk Register, Risk Dashboard,
Board Risk Report, Annual Risk Report, Incident/Near-miss report) with audience,
frequency, and contents
plugins/iso31000/skills/iso31000/references/iso31000-risk-treatment.md
On-demand reference for Clause 6.5+ treatment, appetite, monitoring, and reporting
topics. Loaded for: treatment plans, risk appetite, residual risk, monitoring.
Contents:
- Treatment option 1 -- Avoid: definition, 4 conditions for use, 4 specific
examples, consideration note about foregone opportunity
- Treatment option 2 -- Reduce: preventive controls (6 types with examples),
detective controls (5 types with examples), recovery controls (5 types with
examples); control effectiveness rating scale with 3 levels and definitions
(Effective, Partially Effective, Ineffective)
- Treatment option 3 -- Transfer: 4 mechanisms table (insurance, contractual
transfer, joint venture/shared ownership, derivatives/hedging) with how-it-works
and best-for columns; 4 important limitations of transfer (responsibility,
full loss coverage, counter-party risk, reputational risk cannot be transferred)
- Treatment option 4 -- Accept: 3 conditions for use; seniority-based acceptance
authority matrix by risk band (Low to Critical); 4 documentation requirements;
contingency plan requirement for accepted risks above Medium
- Treatment option 5 -- Exploit: definition and 3 examples for opportunity risks
- Full risk treatment plan template: 14 fields including Risk ID, Description,
Category, Current Residual Risk, Treatment Option, Target Residual Risk, Actions
table (with Action, Description, Owner, Resources Required, Due Date, Status
columns), Success Measures/KPIs, Review Date, Plan Owner, Approved By, Approval
Date
- Treatment selection decision framework: 5-step logical decision tree from
appetite comparison through to escalation
- Risk appetite framework: 4 definition table (appetite, tolerance, capacity,
attitude) with key relationship formula Appetite <= Tolerance <= Capacity
- Risk appetite statement template: overarching narrative placeholder plus 8-row
category table (Strategic, Financial, Operational, Cyber/Technology, Compliance/
Regulatory, Reputational, Environmental/ESG, People/HR) with Appetite Statement,
Tolerance Threshold, and Escalation Path columns
- 4 practical usage rules for applying risk appetite (assessment gate, investment
decisions, escalation trigger, annual review)
- Monitoring schedule table: 6 activities (risk register review, control
effectiveness testing, board reporting, executive dashboard, full reassessment,
incident/near-miss review) with frequency, owner, and output
- 8 event-driven monitoring triggers
- Control testing programme template: 5 example controls with test method,
frequency, and evidence
- Required records table: 9 record types (Risk Register, Risk Assessment Reports,
Risk Treatment Plans, Risk Acceptance Decisions, Board Risk Reports, Control
Testing Records, Incident/Near-Miss Log, Framework Evaluation Records, Risk
Appetite Statement) with purpose and minimum retention period
- Board risk report template: 9-section content outline
- Risk dashboard template: monthly executive summary format description
- Process-owner level risk register summary format description
- 5 risk communication best practices
ISO 31000 - Claude Skill/ISO-31000-README.md
End-user facing README for the skill. Follows the standard repository README
format used by all other skills in this repository. Contains:
Section 1 -- What Does the Skill Do: full capability description, standard
version coverage, list of all clauses and pillars covered, note on non-
certifiable nature of the standard.
Section 2 -- Intended Audiences: 7 named audience types (CROs and Risk Managers,
Compliance and assurance teams, Board secretaries and governance professionals,
Project managers, Internal auditors, Consultants, Operations managers) with
role descriptions and use case context.
Section 3 -- Common Use Cases: 12-row table with use case name and example prompt
(framework gap analysis, risk register development, risk treatment plan, risk
appetite statement, risk workshop facilitation, risk management policy, framework
design, risk criteria definition, integration question, board risk report,
monitoring and review, FMEA/Bowtie).
Section 4 -- How to Use the Skill: auto-activation explanation, 3 tips for best
results with example prompts demonstrating context provision, task type
specification, and clause referencing; worked interaction example showing a
logistics SME risk register request.
Section 5 -- Skill Implementation Details: directory architecture diagram, SKILL.md
contents summary, reference file contents table (3 files with descriptions),
list of inputs used to build the skill (ISO 31000:2018, ISO 31010:2019, ISO
Guide 73:2009, ISO Annex SL mapping, COSO ERM 2017, common ERM practice), and
trigger phrases list (30+ activation topics).
Section 6 -- Author: attribution block with version (0.1.0), date (April 2026),
and standard coverage.
ISO 31000 - Claude Skill/iso31000.skill
Distributable ZIP archive for direct Claude installation. Internal archive
structure:
iso31000/SKILL.md
iso31000/references/iso31000-framework.md
iso31000/references/iso31000-risk-assessment-process.md
iso31000/references/iso31000-risk-treatment.md
SKILL.md is located at exactly one directory level deep (iso31000/SKILL.md) per
the Claude skill installer requirement. No path traversal entries. No absolute
paths. All entries are under the iso31000/ top-level folder. Validated as a valid
ZIP file by all archive tests in test_skill_installability.py.
FILES MODIFIED
--------------
.claude-plugin/marketplace.json
Added iso31000 entry to the plugins array with the following fields:
name : "iso31000"
source : "./plugins/iso31000"
description : "ISO 31000:2018 Risk Management advisor -- risk framework design,
gap analysis, risk register development, risk treatment planning,
risk appetite statements, monitoring and review, board risk
reporting, and integration with ISO 27001, ISO 9001, and
ISO 42001."
version : "0.1.0"
author : Hemant Naik <hemant.naik@gmail.com>
homepage : https://sushegaad.github.io/Claude-Skills-Governance-Risk-and-Compliance/
category : "compliance"
keywords : iso31000, risk-management, risk-assessment, risk-treatment,
risk-register, enterprise-risk, erm, grc
tests/test_plugin_structure.py
Added "iso31000" to the EXPECTED_PLUGINS set (line 35). This set is used by two
inventory sanity tests:
test_all_expected_plugins_present -- asserts all expected dirs exist
test_no_unexpected_plugins -- asserts no unlisted dirs are present
Without this addition, test_no_unexpected_plugins would fail when it discovers
plugins/iso31000/ is not in the expected set.
tests/test_skill_installability.py
Added "iso31000.skill" to the EXPECTED_SKILLS set (line 181). This set is used
by two inventory sanity tests:
test_all_expected_skills_present -- asserts all expected .skill files exist
test_no_unexpected_skills -- asserts no unlisted .skill files are present
Updated the docstring on test_all_expected_skills_present from "All 9 expected"
to "All 10 expected" to reflect the updated total count.
TEST RESULTS
------------
Test runner : pytest 8.3.2
Python : 3.13.5
Command : python -m pytest tests/ --tb=short -q
Result : 187 passed, 0 failed, 0 errors
Per-test results for iso31000 (parametrised across all plugins and skill archives):
test_plugin_json_exists[iso31000] PASSED
test_plugin_json_is_valid[iso31000] PASSED
test_plugin_json_required_fields[iso31000] PASSED
test_plugin_version_semver[iso31000] PASSED
test_skills_directory_exists[iso31000] PASSED
test_skills_directory_has_one_skill_folder[iso31000] PASSED
test_skill_md_exists[iso31000] PASSED
test_skill_md_not_empty[iso31000] PASSED
test_no_files_outside_skill_folder[iso31000] PASSED
test_references_are_markdown[iso31000] PASSED
test_is_valid_zip[iso31000.skill] PASSED
test_archive_not_empty[iso31000.skill] PASSED
test_exactly_one_skill_md[iso31000.skill] PASSED
test_skill_md_exactly_one_level_deep[iso31000.skill] PASSED
test_no_path_traversal[iso31000.skill] PASSED
test_all_files_under_top_level_folder[iso31000.skill] PASSED
test_skill_md_not_empty[iso31000.skill] PASSED
test_references_under_skill_folder[iso31000.skill] PASSED
test_all_expected_plugins_present PASSED
test_no_unexpected_plugins PASSED
test_marketplace_json_exists PASSED
test_marketplace_json_valid PASSED
test_marketplace_lists_all_plugins PASSED
test_all_expected_skills_present PASSED
test_no_unexpected_skills PASSED
INTEGRATION COVERAGE
--------------------
ISO 31000:2018 is the foundational risk management standard that underpins the risk
provisions within all ISO Annex SL (High Level Structure) management system standards.
The skill explicitly documents integration points for:
ISO 27001:2022
Clause 6.1 -- Information security risk assessment and treatment process; Annex A
controls are selected and justified through the risk treatment process. A single
integrated risk register can serve both ISO 31000 and ISO 27001 by adding an
Annex A control reference column.
ISO 9001:2015
Clause 6.1 -- Risks and opportunities for the Quality Management System; Clause 8
operational risk controls. The ISO 31000 risk process provides the methodology
that ISO 9001 requires but does not specify.
ISO 42001:2023
Clause 6.1 -- AI-specific risk assessment; the AI system impact assessment (AISIA)
methodology for assessing societal and individual impacts of AI systems can be
structured using the ISO 31000 risk assessment process.
ISO 14001:2015
Clause 6.1 -- Risks and opportunities for the Environmental Management System;
environmental aspect and impact assessment structured per ISO 31000.
ISO 45001:2018
Clause 6.1 -- Occupational Health and Safety risk assessment; hazard identification
and risk controls methodology aligned to ISO 31000.
NIST Cybersecurity Framework 2.0
GOVERN and IDENTIFY functions; the ID.RA (Risk Assessment) category maps directly
to the ISO 31000 risk assessment process (Clauses 6.3-6.4).
COSO Enterprise Risk Management (2017)
Fully compatible; ISO 31000 risk assessment components map to the Strategy and
Objective-Setting, Performance, and Review and Revision components of COSO ERM.
CONTENT ACCURACY NOTES
-----------------------
All content is derived from the following authoritative sources and is presented
as documented fact, not inference or estimation:
ISO 31000:2018 -- Risk management -- Guidelines
Publisher: International Organization for Standardization
The 8 principles (Clause 4), 6 framework components (Clause 5.1-5.6), and
8 process activities (Clause 6.2-6.7) are documented as specified in the
standard. Process activity names, descriptions, and relationships (including
the continuous nature of communication/consultation and monitoring/review) are
per the standard text.
ISO 31010:2019 -- Risk management -- Risk assessment techniques
Informs the risk identification technique section. All 7 techniques included
(brainstorming, SWOT, PESTLE, SIPOC/process mapping, bowtie, FMEA, checklists/
taxonomies) are listed in ISO 31010:2019 as suitable risk assessment techniques.
FMEA column structure (Severity, Occurrence, Detection, RPN) follows ISO 31010
guidance.
ISO Guide 73:2009 -- Risk management -- Vocabulary
Source for all risk management definitions used in the skill: risk, risk
management, risk appetite, risk tolerance, risk criteria, inherent risk,
residual risk, risk owner, risk treatment, risk source, event, consequence,
likelihood, control.
ISO Annex SL / ISO Directives Part 1 (Consolidated ISO Supplement)
Basis for the integration mapping table. All Annex SL standards share the same
mandatory clause structure with Clauses 4 (Context), 6 (Planning including risk
assessment), 9 (Performance evaluation), and 10 (Improvement).
COSO Enterprise Risk Management -- Integrating with Strategy and Performance (2017)
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Referenced for integration notes only. Compatibility statements are based on
the documented relationship between ISO 31000 and COSO ERM frameworks.
Where implementation guidance represents established professional practice rather
than a direct normative requirement of the standard (for example, specific consequence
scale calibration percentages, tolerance threshold scores, or report formats), this
is presented as a template or example to be adapted by the organisation, not as
a requirement of the standard. This distinction is maintained throughout the skill
and reference files.
BRANCH
------
Branch : feature/iso3001-skill
Base : main (tag 0.3.0, commit 55346eb)
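The commit message above describes the skill's 5x5 Likelihood x Consequence matrix, the inherent/residual scoring, the "highest single consequence dimension" rule and the RAG band thresholds, but none of that is shown as working logic. The following is an added example, not code from this pull request or from the skill's reference files: it scores a few constructed register rows the way the message describes. The endpoint scale labels (Rare/Almost Certain, Negligible/Catastrophic) and the four-band structure come from the commit message; the intermediate labels, the band thresholds and the default treatment decisions are assumptions made for the example.

```python
from dataclasses import dataclass

# 5-point scales. The skill names the endpoints (Rare .. Almost Certain,
# Negligible .. Catastrophic); the intermediate labels here are assumptions.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Four RAG bands over the 1..25 score range: (upper bound inclusive, band label,
# default treatment decision). Constructed thresholds; the skill defines its own.
BANDS = [
    (4, "Low", "Accept; revisit at the periodic register review"),
    (9, "Medium", "Reduce where cost-effective, or accept with risk-owner sign-off"),
    (16, "High", "Treatment plan required; acceptance needs executive approval"),
    (25, "Critical", "Immediate treatment; escalate to the board"),
]
BAND_ORDER = [b[1] for b in BANDS]


def consequence_score(by_dimension: dict) -> int:
    """Conservative approach: rate each dimension and take the highest single one."""
    return max(CONSEQUENCE[label] for label in by_dimension.values())


def score(likelihood: str, by_dimension: dict) -> int:
    """Likelihood x Consequence on the 5x5 matrix (1..25)."""
    return LIKELIHOOD[likelihood] * consequence_score(by_dimension)


def band(s: int) -> tuple:
    """Map a matrix score to its RAG band and default treatment decision."""
    for upper, label, decision in BANDS:
        if s <= upper:
            return label, decision
    raise ValueError(f"score {s} is outside the 1..25 matrix")


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    inherent_l: str
    inherent_c: dict   # consequence label per dimension, before controls
    residual_l: str
    residual_c: dict   # re-rated with existing controls in place


def assess(entry: RiskEntry, tolerance_band: str = "Medium") -> dict:
    """Score one register row and flag whether residual risk sits within tolerance."""
    inherent = score(entry.inherent_l, entry.inherent_c)
    residual = score(entry.residual_l, entry.residual_c)
    r_band, decision = band(residual)
    return {
        "risk_id": entry.risk_id,
        "inherent_score": inherent,
        "inherent_band": band(inherent)[0],
        "residual_score": residual,
        "residual_band": r_band,
        "treatment_decision": decision,
        "within_tolerance": BAND_ORDER.index(r_band) <= BAND_ORDER.index(tolerance_band),
    }


# Constructed sample register rows (not taken from the skill).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Ransomware encrypts order-processing systems",
              "Likely", {"Financial": "Major", "Operational": "Major", "Reputational": "Moderate"},
              "Possible", {"Financial": "Moderate", "Operational": "Moderate", "Reputational": "Minor"}),
    RiskEntry("R-002", "Key logistics supplier exits the market",
              "Possible", {"Financial": "Minor", "Operational": "Catastrophic"},
              "Unlikely", {"Financial": "Minor", "Operational": "Major"}),
    RiskEntry("R-003", "Personal data breach at an outsourced payroll provider",
              "Almost Certain", {"Regulatory/Legal": "Catastrophic"},
              "Possible", {"Regulatory/Legal": "Major"}),
]


def assess_register(entries=SAMPLE_REGISTER, tolerance_band: str = "Medium") -> list:
    return [assess(e, tolerance_band) for e in entries]


if __name__ == "__main__":
    for row in assess_register():
        flag = "" if row["within_tolerance"] else "  <-- exceeds tolerance, escalate"
        print(f"{row['risk_id']}: inherent {row['inherent_score']:>2} ({row['inherent_band']}), "
              f"residual {row['residual_score']:>2} ({row['residual_band']}){flag}")
```

Residual likelihood and consequence are re-rated inputs rather than something derived from the inherent score, which matches the register layout the message lists (separate Residual L / Residual C columns); the tolerance comparison is done on bands so that the Appetite <= Tolerance relationship in the appetite reference can be applied without re-deriving numeric thresholds.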
Framework: Cybersecurity Maturity Model Certification (CMMC) 2.0
Regulatory basis: 32 CFR Part 170 (Final Rule, effective December 16, 2024)
CMMC 2.0 is the DoD cybersecurity certification program for defense contractors
and subcontractors in the Defense Industrial Base (DIB) that handle Federal
Contract Information (FCI) or Controlled Unclassified Information (CUI).
Files added
-----------
plugins/cmmc/.claude-plugin/plugin.json
- Plugin manifest with name, version (1.0.0), description, author, keywords
- Registered in Claude Code plugin registry format
plugins/cmmc/skills/cmmc/SKILL.md
- Main skill instruction file with YAML frontmatter trigger description
- Framework overview covering CMMC 2.0 regulatory basis (32 CFR Part 170,
DFARS 252.204-7012/7019/7020/7021, NIST SP 800-171 Rev 2, NIST SP 800-172)
- Three-level structure: Level 1 (17 practices, FCI, self-assessment),
Level 2 (110 practices, CUI, C3PAO triennial), Level 3 (134 practices,
CUI critical programs, DIBCAC)
- Domain and practice count table for all 14 Level 2 domains
- Additional 24 Level 3 enhanced practice breakdown by domain
- Reference file routing table for context-aware loading
- Core workflows: level determination, scoping, gap analysis, SSP documentation,
SPRS score calculation, POA&M development, assessment process overview,
annual affirmation, CUI categories, and common misconceptions
plugins/cmmc/skills/cmmc/references/level1-practices.md
- All 17 Level 1 practices sourced from FAR 52.204-21
- Practices organized by domain: AC (4), IA (2), MP (1), PE (4), SC (2), SI (4)
- Self-assessment methodology (4-step process)
- Evidence examples per practice
- Common Level 1 deficiencies with root cause descriptions
plugins/cmmc/skills/cmmc/references/level2-practices.md
- All 110 Level 2 practices from NIST SP 800-171 Rev 2
- Complete practice-by-practice table across all 14 domains with NIST references
- SPRS score deduction reference: high (-5), medium (-3), low (-1) weights
- Critical evidence requirements by domain for C3PAO assessment preparation
- DFARS 252.204-7012 incident reporting obligations (72-hour DoD notification,
90-day image preservation)
plugins/cmmc/skills/cmmc/references/level3-practices.md
- All 24 additional Level 3 enhanced practices from NIST SP 800-172
- Organized by domain: AC (4), AT (1), CM (1), IA (1), IR (4), RA (5),
CA (3), SC (3), SI (2)
- DIBCAC assessment process in detail (5 phases)
- Level 3 preparation checklist covering SOC/CSOC, threat hunting, deception
technologies, penetration testing, threat intelligence, APT training, insider
threat program, incident response team, hardware isolation, key management
plugins/cmmc/skills/cmmc/references/scoping-guide.md
- Six CMMC asset categories with definitions and examples:
CUI Assets, Security Protection Assets (SPAs), Contractor Risk Managed
Assets (CRMAs), Specialized Assets (OT/ICS, IoT, GFE), Out-of-Scope Assets,
External Service Providers (ESPs)
- FCI and CUI definitions with NARA CUI Registry reference
- Common DoD CUI categories (CTI, Export Controlled, PBI, NNPI, Privacy)
- 8-step scoping process from CUI identification through SSP documentation
- Network segmentation recommendations for scope reduction
- Common scoping mistakes with consequences
plugins/cmmc/skills/cmmc/references/assessment-guide.md
- Cyber-AB and C3PAO ecosystem description with marketplace reference
- Level 2 C3PAO assessment process (5 phases): pre-assessment, engagement,
execution, results/certification, annual affirmation
- SPRS score calculation using DoD Assessment Methodology v1.2.1 deduction
weights; scoring table with conditional certification thresholds
- SPRS submission process via DIBNet portal
- Domain-by-domain evidence requirements for C3PAO assessment
- POA&M format, conditional certification rules (180-day closure requirement),
and closure verification process
- CMMC contract clause summary (FAR 52.204-21, DFARS 252.204-7012/7019/7020/7021)
CMMC - Claude Skill/CMMC-README.md
- Human-readable README with use-case table, skill structure tree,
official resource links, and disclaimer
CMMC - Claude Skill/cmmc.skill
- ZIP archive (30,556 bytes) with correct internal structure:
cmmc/SKILL.md (one level deep, per installer specification)
cmmc/references/*.md (5 reference files)
Files modified
--------------
.claude-plugin/marketplace.json
- Added CMMC entry with name, source path, description, version, category,
and keywords
tests/test_plugin_structure.py
- Added 'cmmc' to EXPECTED_PLUGINS set
tests/test_skill_installability.py
- Added 'cmmc.skill' to EXPECTED_SKILLS set
Test results
------------
187 tests passed, 0 failed
Covers: plugin structure, JSON validity, semver versioning, SKILL.md existence
and content, archive structure, path safety, marketplace registration
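Both commit messages describe the same installability rules for the distributable .skill ZIP (the iso31000.skill section earlier and the cmmc.skill section above): exactly one SKILL.md, located exactly one directory level deep, no path traversal entries, no absolute paths, every entry under a single top-level folder, and reference files as Markdown under that folder. The following is an added example, not the repository's test_skill_installability.py: a stand-alone validator that applies those rules to an in-memory archive, with one well-formed and one deliberately malformed constructed archive to exercise it. The function and sample names are invented for the example.

```python
import io
import re
import zipfile
from typing import List, Optional


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {path: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def validate_skill_archive(data: bytes, expected_top: Optional[str] = None) -> List[str]:
    """Return the list of problems found; an empty list means the archive passes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP file"]
    problems = []
    with zf:
        files = [info for info in zf.infolist() if not info.is_dir()]
        if not files:
            return ["archive is empty"]
        top_levels = set()
        skill_mds = []
        for info in files:
            name = info.filename
            # Absolute paths (POSIX or Windows drive) would escape the install directory.
            if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
                problems.append(f"absolute path: {name}")
            parts = name.replace("\\", "/").split("/")
            # A '..' segment anywhere is a zip-slip traversal attempt.
            if ".." in parts:
                problems.append(f"path traversal: {name}")
            top_levels.add(parts[0])
            if parts[-1] == "SKILL.md":
                skill_mds.append(info)
            # Reference files must be <skill>/references/<name>.md, nothing deeper or elsewhere.
            if "references" in parts[:-1]:
                ok = len(parts) == 3 and parts[1] == "references" and name.endswith(".md")
                if not ok:
                    problems.append(f"reference entries must be <skill>/references/<name>.md: {name}")
        if len(top_levels) != 1:
            problems.append(f"entries must share one top-level folder, found {sorted(top_levels)}")
        elif expected_top is not None and next(iter(top_levels)) != expected_top:
            problems.append(f"top-level folder is {next(iter(top_levels))!r}, expected {expected_top!r}")
        if len(skill_mds) != 1:
            problems.append(f"expected exactly one SKILL.md, found {len(skill_mds)}")
        else:
            only = skill_mds[0]
            if only.filename.count("/") != 1:
                problems.append(f"SKILL.md must be exactly one level deep: {only.filename}")
            if only.file_size == 0:
                problems.append("SKILL.md is empty")
    return problems


# Constructed sample archives (not the project's real .skill files).
GOOD_ARCHIVE = build_archive({
    "cmmc/SKILL.md": b"---\nname: cmmc\n---\n# CMMC 2.0 skill\n",
    "cmmc/references/level1-practices.md": b"# Level 1\n",
    "cmmc/references/scoping-guide.md": b"# Scoping\n",
})

BAD_ARCHIVE = build_archive({
    "SKILL.md": b"",                                   # at the root, and empty
    "cmmc/references/../../outside.md": b"escaped\n",  # traversal out of the skill folder
    "/tmp/outside.md": b"absolute\n",                  # absolute path
})


if __name__ == "__main__":
    for label, archive in (("good", GOOD_ARCHIVE), ("bad", BAD_ARCHIVE)):
        print(label, validate_skill_archive(archive, expected_top="cmmc") or "OK")
```

The validator reports every problem rather than stopping at the first, which is what a test suite needs to give a useful failure message; the `expected_top` parameter covers the "all entries under the iso31000/ (or cmmc/) top-level folder" rule that the messages state per skill.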
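The CMMC commit message above lists the SPRS deduction weights (high -5, medium -3, low -1), the conditional certification thresholds and the 180-day POA&M closure requirement, but does not show the arithmetic. The following is an added example, not code from the skill or from the DoD Assessment Methodology itself: it computes a score from a list of practice results and classifies the outcome as final, conditional, or not eligible. The starting score of 110 and the 88-point (80%) conditional floor are taken from the DoD methodology and 32 CFR 170.21 as generally documented; the practice identifiers and their weights in the sample data are constructed placeholders, not the methodology's actual table, and the rule's named exceptions (a handful of 1-point practices that may not be deferred, and the CUI-encryption practice that may be deferred at 3 points) are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import List

MAX_SCORE = 110          # one point per NIST SP 800-171 Rev 2 requirement before deductions
CONDITIONAL_MIN = 88     # 80% of 110, the floor for a conditional Level 2 status
POAM_CLOSURE_DAYS = 180  # open POA&M items must be closed within 180 days
WEIGHTS = {"high": 5, "medium": 3, "low": 1}


@dataclass
class PracticeResult:
    practice_id: str   # practice identifier (placeholders below; real IDs look like AC.L2-3.1.1)
    weight: str        # "high" (-5), "medium" (-3) or "low" (-1) when NOT MET
    met: bool


def sprs_score(results: List[PracticeResult]) -> int:
    """110 minus the deduction for every NOT MET practice; practices not listed count as MET."""
    return MAX_SCORE - sum(WEIGHTS[r.weight] for r in results if not r.met)


def level2_status(results: List[PracticeResult]) -> dict:
    """Classify an assessment outcome as Final, Conditional (POA&M) or not eligible.

    Conditional status needs a score of at least 88 and no open practice worth
    more than 1 point; exceptions named in the rule are not modelled here.
    """
    score = sprs_score(results)
    open_items = [r for r in results if not r.met]
    blocking = [r.practice_id for r in open_items if WEIGHTS[r.weight] > 1]
    if not open_items:
        status = "Final Level 2"
    elif score >= CONDITIONAL_MIN and not blocking:
        status = "Conditional Level 2"
    else:
        status = "Not eligible"
    return {
        "score": score,
        "status": status,
        "poam_items": [r.practice_id for r in open_items],
        "blocking_items": blocking,
        "closure_deadline_days": POAM_CLOSURE_DAYS if status == "Conditional Level 2" else None,
    }


# Constructed sample outcomes with placeholder IDs and sample weights; look every
# real practice up in the methodology's weighting table before scoring real data.
SAMPLE_CLEAN = [
    PracticeResult("EXAMPLE-L2-01", "high", True),
    PracticeResult("EXAMPLE-L2-02", "high", True),
]
SAMPLE_POAM_OK = [                      # two 1-point gaps: 108, deferrable
    PracticeResult("EXAMPLE-L2-01", "high", True),
    PracticeResult("EXAMPLE-L2-02", "low", False),
    PracticeResult("EXAMPLE-L2-03", "low", False),
]
SAMPLE_BLOCKED = [                      # score is fine, but a 5-point practice is open
    PracticeResult("EXAMPLE-L2-04", "high", False),
    PracticeResult("EXAMPLE-L2-03", "low", False),
]
SAMPLE_TOO_LOW = [                      # five 5-point gaps: 110 - 25 = 85, below the floor
    PracticeResult(f"EXAMPLE-L2-{i:02d}", "high", False) for i in range(10, 15)
]


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("poam_ok", SAMPLE_POAM_OK),
                          ("blocked", SAMPLE_BLOCKED), ("too_low", SAMPLE_TOO_LOW)):
        print(label, level2_status(sample))
```

Keeping the weight on each practice record, rather than in a global table, makes the partial-credit cases the methodology allows (a practice scored at a reduced deduction rather than its full weight) representable by simply recording the reduced weight the assessor assigned.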
feat: Add ISO 3001 Compliance Skill
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Agent-Logs-Url: https://github.com/sjackson0109/Claude-Skills-Governance-Risk-and-Compliance/sessions/bd6aa6dd-bc0d-40a9-b34b-0123b47c068d
Co-authored-by: sjackson0109 <38080190+sjackson0109@users.noreply.github.com>
Summary
This pull request adds a complete CMMC 2.0 (Cybersecurity Maturity Model Certification) compliance skill for Claude.
CMMC 2.0 is the DoD cybersecurity certification program for the Defense Industrial Base (DIB). The Final Rule (32 CFR Part 170) was published October 15, 2024 and became effective December 16, 2024. It establishes mandatory cybersecurity certification requirements for contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Framework Coverage
Regulatory Basis:
Three Certification Levels:
Files Added
Files modified:
.claude-plugin/marketplace.json — CMMC plugin entry added
tests/test_plugin_structure.py — 'cmmc' added to EXPECTED_PLUGINS
tests/test_skill_installability.py — 'cmmc.skill' added to EXPECTED_SKILLS
Skill Capabilities
The skill enables Claude to act as an expert CMMC 2.0 advisor for:
Test Results
All 187 tests pass:
Content Accuracy
All content is sourced from official publications only: